4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
Size

1.8MB
MD5

0ae3921bc49574533959bc232cecc6a4
SHA1

28f4ba99a5862cce75fc4b8e8b83c4d7a9b0cf3c
SHA256

4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493
SHA512

bbc32b905652021b0da0018d417bc6461d3f2ddcb96f94996a4952746a4771b98ec56b0bca84d4e3a81ecfef58be60dd68654fbe97c377252353d589e7ef00a5
SSDEEP

49152:2x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA2gDUYmvFur31yAipQCtXxc0H:2vbjVkjjCAzJoU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4252	alg.exe
2856	DiagnosticsHub.StandardCollector.Service.exe
5084	fxssvc.exe
2784	elevation_service.exe
5092	elevation_service.exe
2500	maintenanceservice.exe
2240	msdtc.exe
4940	OSE.EXE
2876	PerceptionSimulationService.exe
916	perfhost.exe
1820	locator.exe
1944	SensorDataService.exe
4500	snmptrap.exe
4972	spectrum.exe
1420	ssh-agent.exe
1584	TieringEngineService.exe
1208	AgentService.exe
3528	vds.exe
4808	vssvc.exe
2212	wbengine.exe
5104	WmiApSrv.exe
4896	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\66b67915aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\locator.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\System32\vds.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdateres_is.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdateres_vi.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdateres_pl.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdateres_uk.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdateres_ml.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdate.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\GoogleUpdateCore.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdateres_hr.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4508.tmp\goopdateres_sr.dll	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d2c03f1c199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091e297f0c199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d542d8f0c199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f86bff1c199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000958095f0c199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2856	DiagnosticsHub.StandardCollector.Service.exe
2856	DiagnosticsHub.StandardCollector.Service.exe
2856	DiagnosticsHub.StandardCollector.Service.exe
2856	DiagnosticsHub.StandardCollector.Service.exe
2856	DiagnosticsHub.StandardCollector.Service.exe
2856	DiagnosticsHub.StandardCollector.Service.exe
2856	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4908	4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
Token: SeAuditPrivilege	5084	fxssvc.exe
Token: SeRestorePrivilege	1584	TieringEngineService.exe
Token: SeManageVolumePrivilege	1584	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1208	AgentService.exe
Token: SeBackupPrivilege	4808	vssvc.exe
Token: SeRestorePrivilege	4808	vssvc.exe
Token: SeAuditPrivilege	4808	vssvc.exe
Token: SeBackupPrivilege	2212	wbengine.exe
Token: SeRestorePrivilege	2212	wbengine.exe
Token: SeSecurityPrivilege	2212	wbengine.exe
Token: 33	4896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeDebugPrivilege	4252	alg.exe
Token: SeDebugPrivilege	4252	alg.exe
Token: SeDebugPrivilege	4252	alg.exe
Token: SeDebugPrivilege	2856	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4896 wrote to memory of 4692	4896	SearchIndexer.exe	SearchProtocolHost.exe
PID 4896 wrote to memory of 4692	4896	SearchIndexer.exe	SearchProtocolHost.exe
PID 4896 wrote to memory of 428	4896	SearchIndexer.exe	SearchFilterHost.exe
PID 4896 wrote to memory of 428	4896	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe
"C:\Users\Admin\AppData\Local\Temp\4ebaa418b9e0963340beb8ad28b3a942356ac086120fba3e7ac4a20e69922493.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2652

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1204

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4692

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
32002c7a657a89dd0d02d4f447aa5bac

SHA1
37b65f8acbd7312f0053c3c29525a655eea56901

SHA256
12e06f44ad84925c199875f6f86cb98242f771a7935ae4af40a5fc4ccff4ac17

SHA512
53363a3cf3fb184df5fc15c4c0ead8b68eeb295f4e8b6f44105a74ce31ff43543514e7a1fa54f32d035d933c9414291e352cb02ca6e85f382ac9932bb6ba509d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
ddf416c6bb753e9a5f042a1cb081632c

SHA1
18b62c51b60a7f01ae922c0f2772d8370e93e95c

SHA256
28f350a674243c1a1c8575c1850bad192b279024a616da9bd602b7f9b1d6ab6c

SHA512
e28be8f5fd1ee66e670f4a8f7e04fed483e220ea2a9cc6afaf954f584f345647dff93196578db9d67f1ba5d9387f79759300319619b6d3271f269d2ecefaf481

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c840b637dbb1a6fc03fc07ec715a213e

SHA1
4fd3e591983e8d69072a4acb11dd3f543e7befaf

SHA256
36c32160bcec39c9543125ccfe7efa653bc1f5fedcfe80c3b541f5a70eb99035

SHA512
e82909ed9f578154c61925f296afaab4558ce76dda772efae9cb00d1033ec258b70ddabc957055ffb841d9b89e5ada2350d3f7d75e17a34beadab84485eadae2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7bb29a93b4c8cf79e2a4b94bae5330b2

SHA1
6c3432df356d5dc6a1d03d923cffa6c5f3fb49b3

SHA256
b358caaf64be6eb593eb1e079ceb1d37a6d4a41066a3076761905d2e240f4077

SHA512
5ab2fbd9026a10bb5ccb6e25302d77e0aef142f4d9e65574511a31c3cf964c4c308d7440a59354d87b8dd6a87e96c1abf0397776e7e5279e5aaf28c9b8021429

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3b7ffcb6aade860d495bc047394d4757

SHA1
89f378f45f5fbe2e510c7ae9392a48f7366dad13

SHA256
eb4828f653a37c44a598b1d5daf7cfac811e30321398c05b9ebb3bdd19148319

SHA512
b16728c99f930ef35eecf79ebee24eab8ff6448e6eef645fa56c032a3d10e740480a6cf498be2fd274e4eca210ccad78357490dc024e62de194d71290b4af3db

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a13169d7a8210d4b740b37ffe1d7f7e5

SHA1
013d03a9718a9fae1fa9dd722a29930a4bbd2b9a

SHA256
865e5ba11cdc5ab84416441b1abd1307227a62b264ddbcdae295f3729bfbc8c0

SHA512
1f1edc233801a843546ebb536407705c49e02236e27f81b775d5b4abf7f253c4762f5cd5902283bc509af5d8b077fadc52271422da8569872f9881461e6bfe45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f436f7477311f853766e56715bc42e01

SHA1
fadebcb6fd690e3116c212be093753ebe0cf32fc

SHA256
5e40fd1e7ed57aac2b69c1467f8cf1f53ae95dfee24e0a58187127be0c90999a

SHA512
b879d10a56c5e3fed85ba0a66e9cd448e70315ba9cf90b539873f931992d9dc068b21d02e8d8b93552b8cb58a883f4869343e801b7e1b63d5b061d19a4ca682d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5e6d0e63cced138758d7fbb951567772

SHA1
906cb71f7d355939d6b2e1a079a38e6c3eb673ef

SHA256
0153874ca0b7ad6d278b3d35a0897d0f0eb983156a7c88d6c60feb147ff0f5ce

SHA512
2c4bcb65da15eacd1531be3046763703a62f90f7406d9645ec76133b6824106e922bfb8081f6d836f696ed95a4e134afde9b444049205f447132d8cd93245663

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8bc49322a4e6211f61bd0e7012cc5161

SHA1
c5debe5b74953cf10262cc888d7534b483d40a00

SHA256
f2f4bdbbc8eb8615857d3a64c549f3555403bcf7cc0f7d9c8f00d974395f927b

SHA512
d922308fbefe8649427142d0d9dfe289be30771f4d1d61343be561a6b885c106033d68f49c1129c105c7090e753ea2f01221371409cc4a035d6aa37dd04ac3ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e7ce7f192623f1b6f8e159c0c6390ade

SHA1
31d8e6e8ff181ef8f33466472916a9f7fa3226bd

SHA256
16c1fbd5b00a8a430230e41d9565e79dff87411b043bbfec08c753b34bd20c99

SHA512
de2a8497c61810897dfdf6e06db46d83b5c5a5d57d2dc3be9713113ef84ee0c03f0367099861e58e1a62299b934f19c5b6c7ce0ab8b651639a2548aeb50d48b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0276aa77bd0029069b0fd2c3c2656a47

SHA1
40e8aa7e54edc469bc6c9f7db7a894daceadb377

SHA256
820987171013ddacde1f3c614ed36726d58bf70e20e3a70cd90106c26c5a4648

SHA512
840f091a8720018e56db238a0259c2cdc01a1419e2330bd1be7dab6ea43009e0edf051ea3394cb2218b7430c3ba2fb4e1e5616ecca13c595163024d53cfbfcea

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4d246f556aa7e30b9a61d34fda0c4e7b

SHA1
83c932ca8a62aa7ef3faabe457a69c4a868433b5

SHA256
c152e50d7767538c069516dbe144b398775998663cedbc6567174a41a3c5f24c

SHA512
dddbd0ce9f82a14b977c84e51a0842b2350d2fb7a3facce9c6715d503ce6217be7640367fb30d99907b7cd915d210e7c7ebbba4bcaa0df596bde6a3243ed92ae

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0cd9687bc5223a7ce1b1efe743663d54

SHA1
9cdc32642287a95209c3c5351de8012c460635c9

SHA256
adadf1e8f430499184fa30bf53dfb0aa994290d0fa8ce9645eb9230f75eec884

SHA512
b7f5ad5457831c2798e98a72493c289870625a3815836ae9edabdd7848842d9411d92a7ac2fb03720725ae8c64dd273c4c65f4638b1b83f4868d36278885d71b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
113cf812fb4f2aae0164e73cae08ffa5

SHA1
e349967980ddf7cb7bda195a9dbfc67dbba0c0ac

SHA256
61ac0deab4523cc30d3438de80752185c1ac1e5659d615570946d3619bb36b47

SHA512
ba6159d1d1919e0efd82fe697687640d11ba878ca208c11a4ca7459931fa69d914af77ad1ecea4746d563faa8cc489c62ac3c1b4fac82c175c161ed10abc564d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b5b15459f09531798d8663855df22c58

SHA1
3f4c4e6a0abd71256ceaff362c6f9440ae867f8a

SHA256
7500cbaf48ecdd3b4420e98fd7482e86901134ac1323663a4134f13b86f59eef

SHA512
c2c9f4f3e7128c85dacbe1e2d4a9903372e6dfb6c9374c38d6b0b95c7584e08178d0d9a46f9e27e8bddb9ea57f2659364c72f625510b4bae4e9fa10898fa6a7b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
b9bd9fc1867719ad6bc8cf3172d82bd7

SHA1
9798e3b1920f3b9578f54c09f73a5b74d9a92f6f

SHA256
13caa735cf1ad22a04e73e03d15172384f1718285c747a4aa92736162f101e4d

SHA512
b27c8bacd7a1cfec8e2f3c8a2046e06fbd6e549e9ede21359e7966260c9904ae0212e539f6c08750e99eba0aa7468a55c72d2c6bf52cdea872235b1ec7873746

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
aee4a89e59f8c7fde08c755a2991c638

SHA1
5a91d3d84dc6946b51465a891cdd156b8a19d611

SHA256
f81030b67b3eefb1d6732d817258212e0761b836048d2725898e9d9f49ec612b

SHA512
ac019a2735d96a52e9e78d10d20e9f03345c22f4d655ef2b0c482f25f99417b94516f8472c242990c9c59e9f360f96df117c8e1caaa6c763f4329495285764d7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
4f28c8ab972e09b5bb1d034b6a7f9a2d

SHA1
4155fb185c62e2b64f297576768149e739acca5c

SHA256
c04cae796f964d9501f3e4d4c3acc549db9fc4ac7065c125769a1aad3f33adae

SHA512
343e36b04fd62ec7fef3c9ac6887c7b92ef0f16977cebeb1fdf487f97a96c48b43dea75219f623fab0a36e9e4581c6bd49e58d936c643059115de54fef4eef93

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
48bef21fa3b3e335b4788785b4fefeeb

SHA1
f6afc077b14dacbd11340c3b43d80d242e2dd9ad

SHA256
91e40f4fac223b9a3755d6727d130ffca0b0b93c640a64eca0439ce9cd4f5199

SHA512
46169e0d9230a525b44344b5096ed05163b1b0a5569bc76f428c0a30779377025c2d85bb73af99ad0c77a22cd4dd801b5f9c7e416aa9e654918b40dd4532574f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6783d4c8021d821425ec1641fc7e7e59

SHA1
06c90b6a46be3c8490070142e64dad2994284259

SHA256
f2f67a51a1513dad0d4f0fcd2a57c27221ba3064d5b1f279ea541d7016c72f61

SHA512
38d50c43d07f8e57948ceb19af1191c5f1a3e48ed97193c8516ce243607dbc1021f64b20270b259c264af380c00852b94a924bee95cb143a98b139808f6b2521

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8fb5e3a99d4fd204a814124129d80d76

SHA1
5b50b9aa9e62e5feef8180cd745b76cfdc32d870

SHA256
340a2179dd896c38ea7e79fb596c39453e1dbe9f3dec46bbfbf5ceed5f73b8a3

SHA512
133f3b4061f0176d5314086dccbaba75f31ffbdd7472276c6181d96735f28c327de01de5d444fc3d3056bce7d3e2e5fff9cfd268efaafcb418c76aae1f34e2a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5873f11f2bea7cc68d23df7b78b18886

SHA1
a7538d47a896ee50ba2c277568d7792a3f84a31a

SHA256
2e91008394a79aeacef89846f6deee86cc4388c4938e3dc192ad6c6289873016

SHA512
99ddb53caf524dfbdff20c77b39bf3dd114e16016b28fbada2fc957141860ba54e1e7f6f982ce9262a3064262df500689bee7fcae543d0a3f36155f0e094e052

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
337ab561f7d75e14dbd20aa46fda66aa

SHA1
8833729ee9f14b3159fa7bf107408c6a2fdffe7d

SHA256
a64bfc003254195079d7283a66e2d637ca76f40038c2c56ea2f7c606432da2ec

SHA512
13a4c147896b0ab74657e46bb5e07da1b8876cb545e5842681a5a61b1876b3a4dd4119384f19bd696b43a98dc85347f2a8317836f591c06106d30fdecfefbe8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
29744a78e576f3cf6ab6f2d7ab737f42

SHA1
6ff7dd65f1f81b30f2c4c1714c99fa37b9437e46

SHA256
3594cbc6ded24db104216480b916f0272d89b45735b3bfa1287963cc77a944b3

SHA512
beb19ee894d2b393b9ccf741eccb3ff99cdf3a070b491bbaca0e9587a536decd97cbb5430212f3ffebfe6d9d90da86786437c294cfe8cb55267bd56c01c65603

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
5d42272f44b0ab3b05c107d5c349f6fa

SHA1
3e29b41cc2907cf1de09bfc404e5f0834044e053

SHA256
6f669f8aca97f1493c056d3bad830d55cd139e60911cc378e4e7f4561c4887cb

SHA512
bbe5da71eeaf596b0a07845570fdc9d54741dcf8dc637192fc23b67dc1c8cd4de11ede0db29579e508ed841f40dcf1e521685a14bef056876d9162cd0e8e3bca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
994982c253c70b658d5a7c6073b59eb3

SHA1
82ada7f7bfc74c0f440f095da9c65496b42ae9a9

SHA256
1abb975d11a3ee2347fcb54c49e6eea7f73fdb252c3b605555c88a3ee74b963a

SHA512
9f559863dd552891ea95e65a28dcd2f62b89912033b0d39191808ed964571289a3247fdab08a7571db2356311fce860566a84e7fb155cbfc89107f12afa43183

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ee5374c44f5f15aa45eaf50fd141376d

SHA1
3ec1d5127e1859a3090305a3d8c0af8af0f583c7

SHA256
d7ebc84aa36bf3424b8c2ab4a85ed04d4b9a0de254d39d92bf1effecb7ffad48

SHA512
10791e68dc3c1e76a308cb2bcf82e4e0784eea62f040c9ffcec0473745f8ded52d5995c9b01e892e2decf3bcf5944e7adf37ab149a120d98c29e3ea7df6b505b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ba41bc6503be08e7c97dd3289275ab8f

SHA1
cda70ecc449d68f9da35eca67bbf35272d2007e9

SHA256
c3a61e4e5155526e4fcf879eb534572ebb20277d57815a7cadd89780781a2a13

SHA512
6c587a74c605c90d18b8840e6600efcc2ba7336c092eca5520685aefccf04f6fb5aec8189ce978e9531e1514e8470fe70e2e7e415160085671cba29e10318e96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b7a8f2572b2f7b2336b22fa579d52df3

SHA1
1df47c9ab48c98c27b9e95c9d7ae8c91a0e9e860

SHA256
b01bf3fcee459a7725808954b8ae939db7262a82215f63af908aa4bf93144749

SHA512
a866dbabf2301cecd1176b4c970650d4dca126a4cc3e0aed6aade670c5f271db5da2ced7e312f35eabfe9d502f88ca4626933b3bc5543ce5051a4d8e560fc78f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7ed2946fc84eb6a2e6ed3e105126c28f

SHA1
52b3290f5f2d7de19c9c755dcd173a14bd25829d

SHA256
babc68086a8413e0eed830ca5a0728bde2d720c525a723d41cc670064dec3f4f

SHA512
c40b66e1dc0fe660bf12236b7797cca5956e387d220859d4a38015a1730c16f1f2be00bcf644ca1aa7998cfb53048536ac4a061e00e094fc1b03d9797efb9e56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
84b7927140ed740d1191350135dd5cbb

SHA1
42eb17036cf1bf07c48d59b49f83f575d017cee8

SHA256
9c47415186e5676afe57a69341f219da45968f988ff0c144356848a71350bf38

SHA512
f35b8512fa094a6421ad8c6d01e946b4f22f85d262f86a71ca92e729ca05449c5cc8a6f056329cbb89a1b89e1d46b6b0123b499559d9b350ff505b78d147b819

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f480100ce1302bc4b80596a9da2b562f

SHA1
824d19ed1c5e29f783a5e803988abc6c70851204

SHA256
14148ffbd64312c7fa7fbd3fe053a3354aa1e89ceb586932958eb347fa4cf5c8

SHA512
dc051967b0ff227fad568f033b5eeee9bc8f3be582751d1bcdfc2eb10b6bc5aae1edb2cb10c1ce3a3335d436cfb51bf05347fc253ed554aff2d3ab06db13b87a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9ad4fbe5c0ce370a3001269c0b24e754

SHA1
03c6ef4152d11d40c71b4915b57c4d1ccaf2bb91

SHA256
96989c99ef57988c62d8de3e7eb34c53332591a06a9f9199544e0e95886df9a5

SHA512
b88fe90fd53ee1879b5fafa3f8e7022f773d0d78338b7c6a473ad4faf9d0a66449f0ed0527730369c0af036a86f6dfec90a5f60deba61b0547a7d5ebafbff61f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
631ead5ab53c6e31818df8a5b76caa08

SHA1
74537f3fdf90b7b470cb99c04b644ae1df6edac7

SHA256
ef4339af1264af091125498bbc53787fa4474ef5276828d1286eabc4cb725c74

SHA512
91b96dae5d847063f08fa9459ef6d95b76a123954cae071c2fd22e180e3fc292c7ebd13cabf7e1bbf88bd327824d8d41fa9b6eb1434ca8e7dd0d2cd6b77d7689

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f8a1d89fb5e0ec79aaf12eb8405ea244

SHA1
8ba0a5bc2d4cd0d53e346486525b1a5bf37ea968

SHA256
1bc8d25507021346201f50d98aa4d033a1f6111cc5677cf1c874050033c50b0c

SHA512
24b2742acb13320483604025bc14082a32dfc40e76b3cec623899f5509fb8f00f601b6271246dcce96725ae750465e46dac433e1a5ba183bf42d78b596bd45f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9fc86842495bf534c04f5a5859d20b3a

SHA1
3b43ff05147285829cf2580410b4a1b21d993c8f

SHA256
0e9c370263fecbf4abefcad3b283bc8909c9c5c102f28bc7ae004c64f8fd8f3f

SHA512
240a10d0692abbbb6f50bd727abc2b0adbd0e62c99d7efbecda3a4423fc9f2a353db3af69050017bf81e53b45e131d0a09ddad2f9369da2b2204033ed850c7cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8a18bf494187182e31aef03fcd75eaa6

SHA1
cb54b43ad46004ecc8e64aee379465a308a5f3b2

SHA256
f4dffe98b7f2d022ab62be5a6e762c85ca9233f8b6885a66a798507a1507de4a

SHA512
fb0cc847fcf1c99ca46675d599f449728f16e82641dc63bfe3948dd15a9a1d39b1c5ab9dfd49bfd23d1857e23de63ff26fffa46cd0f8d7e0a6082084e0d08492

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0e4bd61b33cfa1f3458d3fca311082f7

SHA1
8b734f8390a8c76b124cb62e0dab33c7a9d16751

SHA256
67336bb520c3e3b9fc70e0275da0798bba26f6411957647f8206c6eeb01dc832

SHA512
887fca73b20e2d4c983b2cfa20426381500c54bd2a9a30fe996bf99df9dc5fcbf912737899f76983532f8a8e490f58ae8b5dfcedce4d0e9065fa09b11f1d5db6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
928ab180cff496a83a137157835cae0e

SHA1
a6862069e214305b3ef1e786f437a21b555cafe3

SHA256
381c44ace9bcc2707cadd200acd0221daecaa9e4cd2ee9b895409b3ff84d8cff

SHA512
cb6eb6e50098cbf715dad2ede4a53abfdb61d96d2db6d2cfa00df0d7c171a6b71a7c099b303a6df82c9d0c9a8c24afba72efe3261a102ab81759253e53c4431c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0baf48a4faadbfa068ac7de2f4caf8ac

SHA1
20afd826fcb744011be6d5c93042f2b92db645df

SHA256
a9868fe74ed6cab342bb627303c3b06fc20baf484ad1611468efa9066d7f51a0

SHA512
e7757de7e6c62b5aee3c3140ec1c7f3d755fd8148dfb0c23f9690ae480179beaf68ff9b9e00526004923eb2e5a229dd5c4a0c92bc48da39f28ef07caac909c9f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
08f1c1abfc7c213354de4886fe763cda

SHA1
b2f52bbe862538cb91afec820998732eb4e90dc1

SHA256
696e0c6aa96c649f5f2e84e99997402b2dea0d4e6d788cf9146b0715882fe2fa

SHA512
c0b7821902681f3f1790f14425b7d768f71e2522ee5ee869f2a19ef87cfe55dc121c93753d44b111d9c0449e837b490c056a5390e00d4166b665356178e8798a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
54fe68f93fd5546ef24a59da0c152327

SHA1
f79e77436d81d65351298271e907877b09e2581f

SHA256
392d7afd09e7f363cdc64e710a3b48691885f42a3ab27210d83b50e88c84a03e

SHA512
cefebff52b9c7f9809264f2ed9d99e6da841578dbf184369fa74342b44d8126adf63242006ad3eb8c18f384b8931297ba5a0f1a1e7baf0a42ec361176d9c1d28

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
01ed76c66c284904439df09fa9834780

SHA1
394afc56195285736fe16c7ec24c1d3bbcb5f93d

SHA256
e0571a6d1418665f8ddd6bffe35d89164e56085d5e6782aa890303f0220b37c6

SHA512
0af040cb935d5a0c0e22151f9cdaecb7a0d688f92c11306052c479cb13fc22ab622b237a8b509c0e904e7cae883faa360357a2912e157f12763ca4c33951a974

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
e3ccb5323be0db8a1d5729f18e61a3ba

SHA1
9e9a1e1aa348118043834c4fcf1f359783e99130

SHA256
abf308123811d44528633f53b75b58e8c1c23f6e2445f6d98ae573aa047aa586

SHA512
595c61f65d30e793b3dcd9b32233309a8e729cba2b63e32713e60c47cb3d1dbb5c21ba2c0b34b25f1356b84498570ec7bdf76427c8f0fd55bd6f95268255cfd1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6a0b08d13a537173bbf5704fc0a021d8

SHA1
031c313eb8428b602b311b55f365c22c472602ed

SHA256
ad452ef07865fb7aa9c97dca357febd654507fcfa632678f082ad3d2f792ab4e

SHA512
eb5444f5709ae63f1cc73e309112ed0b8bfd6c5810afabf6580dfd45d7ec324026c72d5b4bf9f9c88e5adadfba66db52e5d0e80440553a0c6a29b695e7a2ed42

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
642370a78c4dbb4cd0a2fd1021298a81

SHA1
7535cdc4637544c41e3604250de3de6a22ccdd6e

SHA256
c096eaaa4fe974706ca9b79d07faee8fc79c4e8a034c393eb6828998da4e8f8c

SHA512
1afc4ddd4e3325dcab9bfb97dae998e35fc112795a88f3a001794bda5e309c6ed8983a0c302d1e6ba65bb05fe9fd33307f47cacbbae73e3c2c5720ddf418ad52

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
013cb87b93ba92960ac2b514a058441e

SHA1
bca29aad7dd4700c63c4256d716f9f908278f50c

SHA256
9b445c46b7bc19b32baf27bf3f560b1838897f32a433a4c342bbc94730072018

SHA512
42bf952b435b5f51355755b143fca35d4f4861b3225533eb94f0b5da6a4d8ddc8213123b62505a9c269b65a2045a3621fdae09a5eeb6401f394e318ee9f41ed4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
402f92fc4dc545ecf7d27b2e79740366

SHA1
710034ee1488f46871d45ec2feb56cea4d39f801

SHA256
982a79832add12780c6d9ed1579dcdb682e9730ad2a6cebb175704a5a26e949b

SHA512
3e3b1d2d400d6a652ea0ce4344968c96b0263ef4e10ada3fd3b281aa0fb85cc4d399e6d2147405e671fc98e485a253423c9258c05401f6288ba6f6169d0e4865

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c196d11f9e9f99d02f5cdb7ceb9d7705

SHA1
455d21df0da668a3f7d65c3ae9c00e2a33a4da76

SHA256
4a1f6bd6a9598a41af11782df321d64becad65179315b6466631472f04ab8555

SHA512
8ab0489ea5bb1a1479d9152c105aad32a666a14efe9619d9d91936607b06a8bbe42fa2afb2c99cea2486fa38dc6786a10377ba4b93f77be9fe8ec6577d897e4b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d1150295725708080288132fec6ef4f7

SHA1
d679680ce25c333df9ba64d3ee664d78caf1620e

SHA256
4705e09cba4aade66f2476fc1a78730e2672cb222c4180978ada9e89df1ff898

SHA512
204212520ad069c6fb97ec8059c213625fb98173b264dbfc6c58d0d6b96d3d17cb6dd0c33bb09d354b811e9763707008786dccc157c64331eca1d991e302cb0e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c99c2039bfe301d09d3985011fa21195

SHA1
c7f9f0309c21861287d8ba5c0f1e674a01fa8f6e

SHA256
1c4011951a632b28f5817bfb6fd702858ce537a7f487727f8e69b157169a921b

SHA512
656bf7ce96721e3c2fec47dcbe36caa8023a8cec2bdaddd4282523c1f602e15cb9e6ebea6ef5794b20a41baf95d880b602ecfb27b82ab723354210fb97da0790

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
63ab5ba5538809f18ab37ccd138833db

SHA1
de856fe31199c0a55a81080b42e1e2b91c061ca3

SHA256
5e4dbaa0dc8c033d1d703807ef6e0ef2a6b71f588484ce3b24342c3d264e5426

SHA512
07eafc3bf484595358a16ef1f94d2f9de8e7dbd6af959c78fb1760f4d5c0c4f18a0b62a16106dfc357b3527ddd111c0976960f12c0eac618e3d8cc64d5ffecf8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0b52f0ca906041add873d2db13b8af30

SHA1
4072b98f78e7e108ef03a507e0b175763bda6390

SHA256
eb98184accf00c77ef918d313c3c879c3098f49116f1325d5089ec8a4e0db4e0

SHA512
fbc4df5b31b45f72bc5c59542e1e862f1bd99d5b49f7cf59dc1a4155250ae6b3ceb4256ae908b28c8993dbba92dbe59e689d2081da2fdaff161cc6c741ea7f65

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1e9e807dd93c9b4bc8eea8e99aa45cf0

SHA1
fb3bdc99421c740617cf6a8b6d6c2892f61027f5

SHA256
5bb9df5d1f8bd348df08d93e6ed94c4f02c3ea7cb8f5909e690eb3c8fceb6855

SHA512
c458e560dc109f18a6ef68eb4b7b47f47404b101271f1b5331df6f571bd50acc927e3c4cbe061b28f2b311d4e376249531f7d97b7b512376659898769a7a862f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
127a21d3d8990abfdd82842c482f1e73

SHA1
e1f5e2b0ec539e7fffab3f3d9c60a4fd5385e044

SHA256
04698d97e384db95397de1220c406850e23e0faadcf3298ca29ac14549419a8b

SHA512
281bfc3551998328597479da842853eff6f12a09f4f4ffaf015d22b529f6e4ee95e1648c07c33bb3431a2375cc175d0fcd468b6c499ba8edf78960240fdd9d05

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
94ce5d0304635a42d65368f22685df15

SHA1
ccfa279add7e2b2ff5b798d704487b890a9f9ad3

SHA256
4b155598fdb403958d581b49199f80f8d268c37dd0e9b947dc6d3ac26399b589

SHA512
730d617a0c1b136b0bedb3afccfbe87beb0e7910d48fcfa062974d88002f53f7d7e9d192e3d33b021b0fdef20fc4c88a9b0c9364ee6243da8562b52b9f3a0c71

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
caff797122487e2197dd0b1ad4167479

SHA1
57ed34428ff84ae3ceab808c5a902558ca3ca99e

SHA256
e6f21312d825b7e9a3de7b36d1370d19802469e317c50d5827b4ae235e64454e

SHA512
3d2b41a948351f1c967f132f3dcb694fc3e089585235cd9d763be33b8c88a0db23be32a8bded12962e909c6174e8836bad2ba05d01df00923e0dcf1675a6c0a9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1210ea9a0a0589531a3745f84e9af8e8

SHA1
9cbf5aff56211ff82f0ddeb5e88adfb95e970aad

SHA256
2a7d69f405738ade363b9eefb2cc369682ce3cc30ce6515e8a3e8cac98cded80

SHA512
a24c8f2db847eb9deb54033f2f13bdb396d968b8c9b5092371e690116f5115eb074dd27399c1f03576713c94ccedd18b7735bfc337b9204a130fc6cbc102353f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
825613109afc8aa40346d701318bae75

SHA1
ac9b3a9dd73bee5bf0505d79690336a30bade969

SHA256
8ba609216d5e73b02ac8c6d35fd2ad66828c06b0fd51c34cc6d38c653c043b41

SHA512
aac98965881aff56dc9f8a5212b7734a17cabbf1e66fbc65e2f0d00e3ed0d1f77500812118d4d4b376d1af1fac3059b78e51cd892e5246769fe0be05a22d0f40

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c216337ad5a80eb3d0a4ed0536fd2b41

SHA1
af7a05c42879826b64c77bf248b493b5a550e3c6

SHA256
211dcbf49f27f97ef80873b4e1fc4bc35be3d8ad8a31750a4afa4f69c1661a32

SHA512
d25ec6bfcd3f2be077d9f183546e8d910f1837bc6b3f3542da900828921e4dfff38ecf120c9e1ad9aa1dc35ead78aeccc6744e710ab4dab56afde59e641d012a

Download Submit
memory/916-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/916-311-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1208-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1208-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1420-253-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1420-723-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1584-270-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1584-724-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1820-213-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1820-323-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1944-344-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1944-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1944-671-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2212-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2212-729-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2240-157-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2240-167-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2500-147-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2500-141-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2500-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2500-153-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2500-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2784-125-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2784-119-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2784-127-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2784-247-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2856-43-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2856-94-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2876-189-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3528-289-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3528-727-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4252-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4252-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4252-188-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4252-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4500-515-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4500-228-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4808-728-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4808-300-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4896-345-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4896-731-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4908-1-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/4908-8-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/4908-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4908-150-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4908-593-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4940-178-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4972-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4972-672-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5084-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5084-111-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5084-105-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5084-114-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5084-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5092-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5092-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5092-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5104-324-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5104-730-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download